Multiple apps using same clientid #2662
Comments
Hi molnara, if all those steps are OK, then the issue is probably coming from one of your clients.
Every client must do its own authentication roundtrip, but the user only has to login once. I would advise against sharing cookies between clients; this will have side effects down the road. Also, each client might need different claims.
Thanks for the response thabart. I checked cookie names; all default to what identity server generates (.Aspnet.Cookies and ARRAffinity?). Using implicit flow (Flow in dbo.Client table is 2) (response_type = code id_token token). I did set RequireConsent = false as I don't need that feature. Secrets are all the same. So strange why this works fine on localhost; does the sub domain have something to do with it? Also, what do you mean by client_basic and client_private_key? I don't see these anywhere in the documentation. Thanks again for your help.
Sorry leastprivilege, didn't see your post before I replied, thanks. So you mean if I want the user to be logged in, I need to set something like the home controller to have an [Authenticate] attribute to automatically do a round trip to identityserver? On localhost this is not necessary for some reason if the user is already logged in from another website.
Even if your HomeController is decorated with the Authenticate attribute, the issue will not be fixed. When you're using an authentication middleware like "CookieAuthentication", it's trying to fetch the cookie from the HTTP request header, validate it & set the current thread. A workaround is to generate a cookie valid for the domain "lab.local", example:
I'm not a very big fan of using a shared cookie because you open a security breach to "cross-subdomain cookie attacks". Note: in my previous comment I mentioned the different ways to authenticate the client (client_secret_basic & client_secret_post ...); you can take a look here: http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
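The two client authentication methods named in the comment above, as an added example that is not part of the thread and not IdentityServer code. It builds the token-endpoint request a confidential client sends when it redeems an authorization code, once with client_secret_basic (credentials in an HTTP Basic Authorization header) and once with client_secret_post (credentials as form fields). The token endpoint URL, client id, secret and code values are placeholders chosen for illustration; the server decides which method a given client is allowed to use.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

// Added example: the two client authentication methods from OpenID Connect Core 1.0 section 9
// (client_secret_basic and client_secret_post). All names and values here are placeholders.
public static class TokenRequests
{
    // Assumed endpoint for the idsvr.lab.local host from the thread; the real path depends on the server.
    const string TokenEndpoint = "https://idsvr.lab.local/connect/token";

    // client_secret_basic: client_id and client_secret are form-URL-encoded, joined with ':',
    // base64-encoded and sent in the Authorization header (RFC 6749 section 2.3.1).
    public static HttpRequestMessage ClientSecretBasic(string clientId, string clientSecret,
                                                       string code, string redirectUri)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint);
        var credentials = Uri.EscapeDataString(clientId) + ":" + Uri.EscapeDataString(clientSecret);
        request.Headers.Authorization = new AuthenticationHeaderValue(
            "Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(credentials)));
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", redirectUri }
        });
        return request;
    }

    // client_secret_post: no Authorization header; the credentials travel in the POST body
    // next to the grant parameters. Functionally equivalent, but the secret now sits in the
    // request body, so request logging on the server side must treat the body as sensitive.
    public static HttpRequestMessage ClientSecretPost(string clientId, string clientSecret,
                                                      string code, string redirectUri)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint);
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "redirect_uri", redirectUri },
            { "client_id", clientId },
            { "client_secret", clientSecret }
        });
        return request;
    }

    // Usage: redeem a code obtained on the client1 redirect URI with either method.
    public static void Main()
    {
        var basic = ClientSecretBasic("client1", "placeholder-secret", "placeholder-code",
                                      "https://client1.lab.local/");
        var post = ClientSecretPost("client1", "placeholder-secret", "placeholder-code",
                                    "https://client1.lab.local/");
        Console.WriteLine(basic.Headers.Authorization); // Basic Y2xpZW50MTpwbGFjZWhvbGRlci1zZWNyZXQ=
        Console.WriteLine(post.Headers.Authorization == null); // True: credentials are in the body
    }
}
```

Both requests must go over TLS; the secret is sent in the clear inside the TLS channel with either method. A third option the spec describes, private_key_jwt, replaces the shared secret with a signed JWT and is what is meant when a client is said to authenticate with a private key.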
Adding the [Authorize] attribute worked. If all these web applications are used by the same company on the same sub domains and use the same authentication, is it best practice to use one clientid or a separate clientid for each web application?
It's better to have separate clients because they can have different scopes.
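What the exchange above amounts to in configuration, as an added example that is not code from the thread or from IdentityServer. Browsers key cookies by host name and ignore the port, so two apps on localhost share one cookie jar, which is why the second app looked signed in during local development; client1.lab.local and client2.lab.local each get their own host-only cookie, so client2 only becomes authenticated once [Authorize] produces the 401 that the OpenID Connect middleware turns into a redirect to idsvr.lab.local. That redirect completes without a login prompt while the idsvr session cookie is still valid, which is the single login the thread describes. The code uses the Katana (Microsoft.Owin.*) middleware that IdentityServer3-era clients use; the client id, cookie name, scopes and redirect URI are assumptions for client1, and client2 would get its own client id with its own scopes.

```csharp
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(Client1.Startup))]

namespace Client1
{
    // Added example of one client application's OWIN pipeline (assumed values throughout).
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType("Cookies");

            // Host-only session cookie: no CookieDomain, so it is sent only to client1.lab.local.
            // client2.lab.local never sees it and must run its own round trip to idsvr.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies",
                CookieName = "client1.auth",        // per-app name; assumed
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always
                // CookieDomain = ".lab.local"      // the shared-cookie workaround: every
                //                                  // *.lab.local host would receive this cookie
            });

            // Separate client registration per application (different ClientId, RedirectUri, Scope).
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "oidc",
                Authority = "https://idsvr.lab.local/",
                ClientId = "client1",                          // assumed
                RedirectUri = "https://client1.lab.local/",    // assumed
                ResponseType = "code id_token token",          // as in the thread
                Scope = "openid profile",                      // client2 would ask for its own set
                SignInAsAuthenticationType = "Cookies"
            });
        }
    }

    // [Authorize] is what triggers the 401. With the default active authentication mode the
    // OIDC middleware converts that 401 into the redirect to idsvr; without the attribute the
    // page renders anonymously and no round trip ever happens.
    [Authorize]
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
}
```

Uncommenting CookieDomain makes one ticket readable on every lab.local subdomain, which is the cross-subdomain exposure warned about above: any compromised or attacker-controlled host under lab.local can read or overwrite it, and every app would also need the same data-protection (machineKey) settings to decrypt it. Keeping host-only cookies and letting each client do its own silent round trip gives the same user experience without that coupling.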
Question
I have the following sub domains:
idsvr.lab.local
client1.lab.local
client2.lab.local
When I login to client1, I was expecting to automatically be logged into client2, as this happens when I am developing using localhost. (Also, they are both using the same clientid, but I also tried separate clientids.) I have to click the login button on client2, which then redirects to idsvr and then back to client2. Sorry if someone already asked this question; I'm having trouble searching for this issue.
Thanks in advance for any guidance.